The business and culture of our digital lives, from the L.A. Times

McAfee says 'one state actor' behind international hacking spree

August 3, 2011 | 12:36 pm

McAfee Inc. says it has uncovered an international hacking campaign, probably conducted by one government, that has spied on and committed cyber attacks against the networks of 72 other governments and corporations over the last five years.

The Santa Clara-based tech security firm has dubbed the alleged hacking spree "Operation Shady RAT," and noted that 49 of the 72 victims it has identified were located in the U.S. -- making American organizations the main target.

Among those McAfee says were infiltrated and attacked: the U.S. government, the United Nations, the Assn. of Southeast Asian Nations, the governments of Canada, India, Taiwan, South Korea and Vietnam, and a number of companies dealing with construction, energy production, technology, telecommunications, media, sports, economics, finance and real estate.

McAfee, known to most as a maker of retail anti-virus software for computers, stopped short of accusing any one specific government of being behind the hacking spree, but did make clear that it believed there was one "state actor" behind the actions.

"What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth -- closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has 'fallen off the truck' of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries," said Dmitri Alperovitch, McAfee's vice president of threat research, in a blog post detailing the company's findings.

"What is happening to all this data -- by now reaching petabytes as a whole -- is still largely an open question. However, if even a fraction of it is used to build better competing products or beat a competitor at a key negotiation (due to having stolen the other team's playbook), the loss represents a massive economic threat not just to individual companies and industries but to entire countries that face the prospect of decreased economic growth in a suddenly more competitive landscape and the loss of jobs in industries that lose out to unscrupulous competitors in another part of the world, not to mention the national security impact of the loss of sensitive intelligence or defense information."

Sports organizations were also targeted, including the International Olympic Committee, the World Anti-Doping Agency and national Olympic committees in both Asia and Western nations, Alperovitch said.

"The interest in the information held at the Asian and Western national Olympic Committees, as well as the International Olympic Committee (IOC) and the World Anti-Doping Agency in the lead-up and immediate follow-up to the 2008 Olympics was particularly intriguing and potentially pointed a finger at a state actor behind the intrusions, because there is likely no commercial benefit to be earned from such hacks," Alperovitch said.

"The presence of political nonprofits, such as a private Western organization focused on promotion of democracy around the globe or U.S. national security think tank is also quite illuminating. Hacking the United Nations or the ASEAN (Assn. of Southeast Asian Nations) Secretariat is also not likely a motivation of a group interested only in economic gains."

Alperovitch said that the "vast majority" of the victims have "long since remediated these specific infections," though he questioned whether many realized the potential seriousness of the breaches.

"Although Shady RAT’s scope and duration may shock those who have not been as intimately involved in the investigations into these targeted espionage operations as we have been, I would like to caution you that what I have described here has been one specific operation conducted by a single actor/group," he said.

"We know of many other successful targeted intrusions (not counting cybercrime-related ones) that we are called in to investigate almost weekly, which impact other companies and industries. This is a problem of massive scale that affects nearly every industry and sector of the economies of numerous countries, and the only organizations that are exempt from this threat are those that don't have anything valuable or interesting worth stealing."